
An Architecture for E-Voting

E-voting is a hot topic in my country, and has been discussed a lot everywhere. Since we already use the internet and touch-screen devices in our everyday lives, why not apply them to voting? Not for the sake of the technology itself, but to prevent technical mistakes and election fraud, to make it easier for citizens to cast their vote, and to make elections generally cheaper.

There are many concerns, some of which are relevant, including security, single points of failure and privacy. Some experts claim it is impossible to make e-voting secure enough and that paper ballots must be used forever. On the other hand, several companies produce voting machines, and multiple attempts have been made to introduce e-voting, very few of which were successful. A recent audit of the Estonian e-voting system also showed some drawbacks, although the system has been in use for a while without major issues.

I’ve been thinking about and discussing the details of how a system for electronic voting could be implemented, with the following main requirements:

the results cannot be tampered with – neither by an attacker, nor by the election authorities

open source – relying on closed source and private audits is “security through obscurity”

everyone can vote – there should be no technical limitation to voting – people without internet and without profound technology skills should be able to cast a vote

guaranteed anonymity – nobody should be able to see how a person voted

only one vote per person – the system must be able to ensure that a person hasn’t voted more than once

people should be able to vote without going to a particular location

nobody should be able to replace a person’s vote

no special skills for the voting staff – ideally, voting machines should be started with one click and handle everything by themselves

guaranteed to work with power or internet outages

The requirements are more or less clear, but implementing them is tough.

In order to guarantee that nobody can change the results, the only solution that is secure enough is a distributed one. No single database is so secure that it can withstand every malicious attempt, so a distributed vote database has to be used. Without being an expert in the field, I think a bitcoin-style blockchain gives us what we need: every node participating in the election holds the full, hash-chained record of votes, so a node that silently alters its copy either breaks its own chain or, if it rewrites the chain, ends up disagreeing with every other node. The record therefore survives even if half of the nodes are taken out, and the remaining honest nodes can detect the tampered copies and reconstruct the exact results. Two caveats: this protects a vote only once it has been transmitted, and an honest majority of nodes is the minimum for detecting tampering, not a comfortable margin (Byzantine fault-tolerant protocols typically require more than two thirds of the nodes to be honest). It need not be the exact bitcoin implementation, but each vote can be viewed as a separate transaction. Communication between devices is secured by the appropriate protocols, of course.
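To make the "each vote is a transaction" idea concrete, here is an added example (my own toy model, not the author's design and not bitcoin): every node keeps a hash-chained copy of the votes, a node that edits a stored vote either breaks its own chain or ends up with a chain tip that disagrees with the honest nodes, and the tally is taken from the tip held by a strict majority of all nodes. The votes, the five nodes and the two attacker behaviours are all constructed inline; the payload carries an anonymous token and a choice, never a voter identity.

```python
"""Added example: hash-chained, replicated vote ledger with a majority-based tally.
Toy model of 'each vote is a transaction'; not the author's code and not bitcoin.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

GENESIS = "0" * 64


def entry_hash(prev_hash: str, payload: dict) -> str:
    # Canonical JSON so every node derives the same hash for the same record.
    body = json.dumps({"prev": prev_hash, "payload": payload},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()


@dataclass
class Entry:
    prev_hash: str
    payload: dict   # e.g. {"token": "<anonymous one-time token>", "choice": "A"}
    hash: str


class Ledger:
    """One node's copy of the vote chain."""

    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def tip(self) -> str:
        return self.entries[-1].hash if self.entries else GENESIS

    def append(self, payload: dict) -> Entry:
        entry = Entry(self.tip(), dict(payload), entry_hash(self.tip(), payload))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Internal consistency: each entry links to its predecessor and hashes correctly."""
        prev = GENESIS
        for e in self.entries:
            if e.prev_hash != prev or entry_hash(e.prev_hash, e.payload) != e.hash:
                return False
            prev = e.hash
        return True

    def tally(self) -> Dict[str, int]:
        counts: Dict[str, int] = {}
        for e in self.entries:
            counts[e.payload["choice"]] = counts.get(e.payload["choice"], 0) + 1
        return counts


def replicate(votes: List[dict], n_nodes: int) -> List[Ledger]:
    """Every vote is broadcast to, and appended by, every node."""
    nodes = [Ledger() for _ in range(n_nodes)]
    for vote in votes:
        for node in nodes:
            node.append(vote)
    return nodes


def tamper_in_place(node: Ledger, index: int, new_choice: str) -> None:
    """Naive attacker: edit a stored vote. verify() now fails on this node."""
    node.entries[index].payload["choice"] = new_choice


def tamper_and_rechain(node: Ledger, index: int, new_choice: str) -> None:
    """Careful attacker: edit a vote and recompute every later hash. The node's own
    chain still verifies, but its tip no longer matches the honest nodes' tip."""
    node.entries[index].payload["choice"] = new_choice
    prev = node.entries[index - 1].hash if index else GENESIS
    for e in node.entries[index:]:
        e.prev_hash = prev
        e.hash = entry_hash(prev, e.payload)
        prev = e.hash


def consensus_tally(nodes: List[Ledger]) -> Optional[Dict[str, int]]:
    """Tally from the tip held by a strict majority of ALL nodes; None if there is none.
    Nodes failing verify() are excluded, and so are consistent nodes whose tip disagrees."""
    by_tip: Dict[str, List[Ledger]] = {}
    for node in nodes:
        if node.verify():
            by_tip.setdefault(node.tip(), []).append(node)
    if not by_tip:
        return None
    tip, agreeing = max(by_tip.items(), key=lambda kv: len(kv[1]))
    if 2 * len(agreeing) <= len(nodes):
        return None
    return agreeing[0].tally()


# Constructed sample: five anonymous tokens, three votes for A and two for B.
SAMPLE_VOTES = [{"token": "t%d" % i, "choice": c} for i, c in enumerate("AABAB")]

if __name__ == "__main__":
    nodes = replicate(SAMPLE_VOTES, 5)
    tamper_in_place(nodes[0], 1, "B")
    tamper_and_rechain(nodes[1], 3, "B")
    print(consensus_tally(nodes))       # honest majority still yields {'A': 3, 'B': 2}
```

A node whose chain verifies is not therefore honest: `tamper_and_rechain` produces an internally consistent chain, and only the comparison of tips across nodes exposes it. The strict-majority rule also makes the "half of the nodes" figure visible as the boundary: with two of five nodes compromised the tally survives, with a third the function returns None rather than a wrong result.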

Open source is a requirement, so that everyone can be sure there is no sneaky code of the form “if (party == ‘foo’) then votes += 2”. A checksum of the deployed build, published for each device, then lets observers confirm that the audited source is what is actually running; for that checksum to mean anything, the build has to be reproducible, so that anyone can rebuild the binary from the published source and obtain the same hash. It is true that only software engineers will be able to understand how the process works, while now everyone knows how the paper ballot is cast, but currently even fewer people know how paper is collected and counted and how the results are calculated: there is enough “magic” happening already, from the point of view of the average voter.

Everyone should be able to vote if a simple tablet or tablet-like device is placed in the voting booth. A friend of mine, who is a field linguist, once told me that the indigenous people he works with love using his tablet, so anyone can use a clean touch-screen interface with a clear indication of the choices. Usability is a major concern, of course, and a lot of usability and A/B testing has to be done, but that is doable.

Guaranteeing anonymity is one of the toughest problems. In my proposal for unified electronic identification I pointed out that there is a solution to that problem, called “anonymous credentials”. Here is an introduction to the technology. I understand how it works, but not well enough to explain it in full. In short, the owner of the credentials generates a token that represents them to the election authorities. The token cannot be linked to its owner, but contains enough information for the election authorities to verify that the person has the right to vote and has not voted already (here, the “election authority” is an automated system). The introductory article describes pretty well all the aspects needed, including “one-time spending” (4.1). What I can add is that the system can obtain some metadata about the voter for statistical purposes (age group, gender, city), though in a small town a person can sometimes be traced from a few such details, so the attributes revealed have to be coarse enough that no combination of them singles out a voter.

A good implementation of anonymous credentials handles both anonymity and one-time voting, provided each citizen has only one digital credential. This is guaranteed in an offline process: if all citizens have a mandatory ID card that contains their digital credentials, then the identity of the person is verified once by the issuing authority, and the credential can later be used in elections (and many other government services). And before the fear of Big Brother gets you, re-read the previous paragraph for why the government can’t track you even if you have an ID card with a digital element in it.
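An added example of the token mechanism described in the last two paragraphs, using a simpler primitive than full anonymous credentials: RSA blind signatures. This is my illustration, not the scheme from the linked article and not the author's code. The authority verifies the citizen once and signs a blinded token, so it learns that "alice" obtained a credential but cannot recognise her token when it is later spent; the automated ballot box accepts a token only if the signature verifies and the token has not been seen before. Standard library only, with textbook RSA over a raw SHA-256 digest; a deployment would use a standardised padded construction such as RFC 9474 and a real anonymous credential scheme for the attribute features (age group, city) mentioned above. The authority, voters and the forged ballot are all constructed in the file.

```python
"""Added example: unlinkable one-time voting tokens via RSA blind signatures.
Textbook RSA over a raw hash, for illustration only; not the author's code.
"""
import hashlib
import math
import secrets


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin with random bases; adequate for generating demo RSA primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def token_digest(token: bytes, n: int) -> int:
    # 256-bit digest is always below the 512-bit modulus used here.
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % n


class Authority:
    """Checks eligibility once per citizen and blind-signs: it learns who asked, never which token."""

    def __init__(self, eligible, bits: int = 512) -> None:
        self.e = 65537
        while True:
            p, q = gen_prime(bits // 2), gen_prime(bits // 2)
            phi = (p - 1) * (q - 1)
            if p != q and math.gcd(self.e, phi) == 1:
                break
        self.n, self.d = p * q, pow(self.e, -1, phi)
        self.eligible, self.issued = set(eligible), set()

    def issue(self, citizen_id: str, blinded: int) -> int:
        if citizen_id not in self.eligible or citizen_id in self.issued:
            raise PermissionError("not eligible or credential already issued")
        self.issued.add(citizen_id)          # one credential per citizen
        return pow(blinded, self.d, self.n)  # signs without seeing the token


class Voter:
    def __init__(self, n: int, e: int) -> None:
        self.n, self.e = n, e
        self.token = secrets.token_bytes(32)  # the value later shown at the ballot box
        while True:
            self.r = secrets.randbelow(n - 2) + 2
            if math.gcd(self.r, n) == 1:
                break

    def blind(self) -> int:
        return (token_digest(self.token, self.n) * pow(self.r, self.e, self.n)) % self.n

    def unblind(self, blind_sig: int) -> int:
        return (blind_sig * pow(self.r, -1, self.n)) % self.n


class BallotBox:
    """Automated 'election authority': verifies the signature and enforces one-time spending."""

    def __init__(self, n: int, e: int) -> None:
        self.n, self.e = n, e
        self.spent, self.votes = set(), []

    def cast(self, token: bytes, sig: int, choice: str) -> str:
        if pow(sig, self.e, self.n) != token_digest(token, self.n):
            return "rejected: invalid signature"
        if token in self.spent:
            return "rejected: token already spent"
        self.spent.add(token)
        self.votes.append(choice)            # stored without any identity
        return "accepted"


def run_election():
    """Constructed scenario: one honest voter, a double-vote attempt, a forged ballot."""
    authority = Authority({"alice", "bob"})
    n, e = authority.n, authority.e
    box, alice = BallotBox(n, e), Voter(n, e)
    sig = alice.unblind(authority.issue("alice", alice.blind()))
    outcomes = [box.cast(alice.token, sig, "A"),
                box.cast(alice.token, sig, "B")]                 # same token twice
    mallory = Voter(n, e)                                        # never certified
    outcomes.append(box.cast(mallory.token, secrets.randbelow(n), "B"))
    try:
        authority.issue("alice", alice.blind())                  # second credential
        outcomes.append("double issue allowed")
    except PermissionError:
        outcomes.append("double issue refused")
    return outcomes, box.votes


if __name__ == "__main__":
    print(run_election())
```

Note what each party ends up knowing: the authority holds a list of citizens who obtained a credential, the ballot box holds a list of spent tokens and choices, and neither list can be joined to the other because the authority only ever saw `blind()` output. The one-time check is a simple set lookup, which is why it only works once the vote reaches a verifier that sees all the other votes too.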

Having the digital credentials, the voter is no longer tied to a particular voting location: people on business trips, people temporarily living abroad, people with disabilities, and anyone otherwise unable or unwilling to be present at the voting station on election day or week will still be able to vote over the internet, provided they have a reader for their card.

Having said that, client-side security must be taken into account as well. The blockchain guarantees that the data is secure once transmitted and that the results can’t be changed, but (as the recent audit of the Estonian e-voting system showed) there may be client-side attacks. What happens if the computer of the voter (or worse, the tablet at the voting station) is infected by malicious software? This is where a real security expert should step in, and many cases should be considered, because I can only suggest general principles. The identification card is protected by a PIN, and the reader can have its own small keypad so that a trojan on the host cannot capture the PIN and cast a vote on behalf of the voter. A secure smart-card (or smart-card-like) device also ensures that a vote, once signed, cannot be intercepted and replaced without detection. What it does not guarantee by itself is that the ballot being signed is the one the voter saw on the screen: a compromised host can display one choice and send another to the card, so the reader needs a trusted display of its own, or the voter needs an independent way to verify how the vote was recorded. Whether malicious code can interfere with the communication of the device by preventing the vote from being cast also needs further research. I think it is possible to be secure enough to prevent fraud on a large scale.

The staff that facilitates the voting process would only need to switch the terminals (tablets) on. Since voting is activated by a card, they don’t need to activate it manually. All they have to do is make sure nobody steals a device, and that is simple: a sound can be played if the device is disconnected or moved, for example (a technique used in many shops nowadays). The start and the end of the election day can be signalled by all members of the section commission inserting their digital cards into the reader.

And the final point is edge cases. What happens if the power is down? Batteries should last sufficiently long, and portable battery chargers can be distributed as well. What happens if the internet is down, and what about voting stations that have no internet access at all? If the internet goes down, votes can be cached locally until it is back; the cached votes must be stored signed and encrypted on the device, and because the one-time check on the credential can only be completed when the vote reaches the network, a double vote cast at two different stations during an outage is detected at sync time rather than prevented at the booth. A paper trail is another backup: each vote is printed and stored (automatically) in a box, and if there are problems with the technology, we revert to the old-school way. And even if there is no cable/ADSL internet, or it goes down, 3G/GPRS is normally available (a contract with the mobile carriers has to be signed for the elections, of course, but bureaucracy is off topic).

So, the solution outlined above depends on having a card, on complex software, on further investigation of client-side security, and also needs a lot of logistical consideration: delivering and connecting the devices, contracts, etc. Regardless of all these ifs, it seems that technology is giving us a way to hold elections digitally, and we should put some effort in that direction. Companies providing e-voting solutions can do that, but they should not rely on closed-source software, and would do better to rely on commodity hardware, making their business model a bit different.

And last, but not least – a lot of government and societal effort will be needed as well, even after the technology is in place.

6 thoughts on “An Architecture for E-Voting”

It’s simple. The census could be built from hash keys of people’s information (name + surname + birthdate + PID + other bio info?), but there couldn’t be any database to map this information.
When you vote, the system must generate that hash and check it in its database (big data).
Indeed, this info is useless if someone wants to steal it.

A drawback (for me) is that, as the votes must be saved into some kind of persistent store, it could be possible to extract partial results.
To avoid the extraction of partial results:

– votes must be saved encrypted into different databases, whose size is so small that it is impossible to extract relevant reports if a database is hijacked.

Very interesting post. In case of a power or internet outage it should be possible to vote offline and sync later on. Of course, syncing is possible only until a fixed point in time, and it requires the client application to be secure enough as well. Solving the whole problem seems problematic but also very, very interesting. Will there be any implementation in Bulgaria?